PHP needs 'use strict;'

I have heard so often that Perl is a bad language and you should never use it. Recently a college friend of mine switched to PHP, and was trying to convince me that PHP was the best thing in the world. They have all sorts of pre-built applications and libraries that make it easy to do things (sounds a little like the CPAN).

I told him about my one major roadblock with PHP. My problem is in the following code, and yes this code actually caused me trouble, this isn't a hypothetical situation:

I was dealing with a table of customer information. I had imported some production data into the test instance, and was working away. After some time, I found that for any record I touched, the Zip code was replaced with an empty string ''. I checked where the assignment was happening:

$ZipCode = $_GET['ZipCode']; (or however you get things from GET parameters, it's been so long.)

Now if you see the problem after the first time through, then you are more fortunate than I.

For those that don't see the problem here, there is a case sensitivity issue here between $ZipCode and $ZIPCode.

I spent half a day working on this problem that would have been solved in Perl with 'use strict' or VB with 'option use explicit' or would have never happened in C or C++ or just about any compiled language.

My friend told me that this is solved by being careful, and having good coding standards. I agree that it may be mitigated by good coding standards, but what will prevent me from fat-fingering the word $ZipoCode, or any of the possible permutations on that? No amount of coding standards fixes a fat-fingered spelling. This is fixed at run time with the interpreter saying 'WHOA JIMMY, WHATCHA DOIN?' If PHP had something like 'use strict' then I might very well be a very sloppy PHP programmer right now, but alas my senior developer suggested that I try re-writing what I had in a different language and see if that is better.

So, in conclusion: I do not consider a language useful or 'good' until it has something that can tell me explicitly that I am using two variables here: $ZipCode and $ZIPCode, and not just fill one with an empty string and move on.

I am not against PHP, but I cannot recommend it as a language to solve any problem until this is solved.

As a Perl programmer, I am comfortable in my little nest that I have created, but I feel that I must not ignore all the other languages out there simply because I like my language. You probably know the phrase: "When all you have is a hammer, all your problems begin to look like nails." As such I want to keep open to learning other languages, but the lack of variable name declaration is one way to keep me away.

This makes me sad. I haven't done more than a 'hello world' in each of these languages, but since they are both modern languages, I assumed that they would have basic variable declarations.

Unfortunately, $ZIPCode vs $ZipCode is not your only problem. You are using string substitution where you should be using a placeholder:

$sql = "UPDATE customers set ZipCode = $ZipCode WHERE ...";

should be

$sql = "UPDATE customers set ZipCode = ? WHERE ...";

This makes the statement generic (it can be executed many times with different zipcodes) and safer (proper quoting rules will be used). Imagine what would happen if the user puts "0; drop table customers; --" in the zipcode field. The first will drop the table, the second will issue an error saying that the type was wrong.

This brings up another thing in Perl as good as the strict pragma: taint mode. Read perldoc perlsec for information about it.

While the code you refer to looks like Perl, it was actually PHP. I do not know if there is a proper and safe way to do this in PHP besides escaping characters and hoping you got them all.
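As an added example that is not part of the thread: in PHP, error_reporting(E_ALL) plus an error handler that throws gives the 'WHOA JIMMY' behaviour for the $ZIPCode typo from the original post, and a PDO prepared statement is the placeholder form of the UPDATE from the reply above. It assumes PHP 8 with the pdo_sqlite extension so that it runs against an in-memory database; the request data and table are constructed here.

```php
<?php
// Added example, not code from the thread. Two points: fail loudly on an
// undefined variable (the nearest thing PHP has to Perl's 'use strict'), and
// bind the zip code with a placeholder instead of interpolating it into SQL.
declare(strict_types=1);

// Turn every notice/warning, including "Undefined variable $ZIPCode", into an
// exception so the typo is reported instead of silently yielding ''.
error_reporting(E_ALL);
set_error_handler(function (int $errno, string $errstr, string $file, int $line) {
    throw new ErrorException($errstr, 0, $errno, $file, $line);
});

// Constructed request data standing in for a real GET parameter.
$_GET['ZipCode'] = '12345';

function updateZipCode(PDO $db, int $customerId, string $ZipCode): int
{
    // Placeholder: the driver passes the value separately from the SQL text,
    // so "0; drop table customers; --" is stored as a literal string.
    $stmt = $db->prepare('UPDATE customers SET ZipCode = ? WHERE id = ?');
    $stmt->execute([$ZipCode, $customerId]);
    return $stmt->rowCount();
}

// In-memory SQLite database (assumption: pdo_sqlite is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, ZipCode TEXT)');
$db->exec("INSERT INTO customers (id, ZipCode) VALUES (1, '00000')");

// Normal path: the value from the request lands in the table.
$ZipCode = $_GET['ZipCode'];
updateZipCode($db, 1, $ZipCode);
echo 'Stored: ', $db->query('SELECT ZipCode FROM customers WHERE id = 1')->fetchColumn(), "\n";

// The hostile value from the reply above is stored as text; the table survives.
updateZipCode($db, 1, '0; drop table customers; --');
echo 'Stored: ', $db->query('SELECT ZipCode FROM customers WHERE id = 1')->fetchColumn(), "\n";

// The typo from the original post: reading $ZIPCode trips the handler
// before anything reaches the database.
try {
    updateZipCode($db, 1, $ZIPCode);
} catch (ErrorException $e) {
    echo 'Caught: ', $e->getMessage(), "\n";
}
```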

I was a very new programmer, but even then I knew about SQL injection, and my Perl program that is still in use six years later had a wrapper around CGI::param() that would strip out unsafe characters. I learned that this was wrong after the project was finished, and I didn't have time to go back and fix all the code that was done improperly. I also tried SQL injection on it myself, and my version of mysql didn't/wouldn't correctly parse the statement if there was a semicolon in it. I know it still could have exposed data, but at least the ';drop table customers;--' doesn't work.

In short:
1. this was PHP code, and I don't know if there was a better way, and
2. I didn't know how to do it right in Perl at the time, but I was aware of the potential problems, and was as safe as possible.

This is a problem with any programming language - case sensitivity is just a given, and it takes some time to become careful enough to make sure things are spelt correctly. An IDE with code completion also helps.